Skill v0.0.3
ClawScan security
Polymarket Sports Live Trader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 2:20 PM
- Verdict: Benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code, declared dependency, and required credential line up with its stated purpose (trading Polymarket markets), and it defaults to safe paper trading; provenance is minimal, however, so exercise normal caution.
- Guidance: This skill appears internally consistent for trading Polymarket markets: it needs only SIMMER_API_KEY and depends only on simmer-sdk. Recommended before installing:
  - (1) verify that the simmer-sdk PyPI project, its GitHub repository and their maintainers are legitimate, and that the PyPI release corresponds to the published source;
  - (2) store SIMMER_API_KEY in a secrets manager and keep it out of shell history, logs and pasted output;
  - (3) run the skill in paper mode (the default) and review its logs and output before passing --live;
  - (4) review the full trader.py (and the simmer-sdk code it pulls in) yourself or in a sandbox, looking for network calls to hosts other than Simmer/Polymarket, reads of files or environment variables unrelated to trading, and process execution;
  - (5) treat the missing source/homepage as a supply-chain signal: limited provenance means fewer eyes on the code and no upstream to compare the bundle against.
Review Dimensions
- Purpose & Capability (ok): Name and description say "Polymarket sports trader", and the package requires only a Simmer API key and the simmer-sdk; the code (trader.py) implements market discovery, signal computation and trade execution against Simmer/Polymarket, so the requirements are proportionate to the stated purpose. Note: the publisher/homepage is missing (source unknown), which reduces provenance and increases supply-chain risk.
- Instruction Scope (ok): The SKILL.md instructions and trader.py focus on market discovery, sizing rules and execution. The skill documents that it defaults to simulation and only places live trades with an explicit --live flag. SKILL.md mentions optional external data sources (e.g., the ESPN hidden API) as remix ideas but neither mandates nor embeds unrelated data collection in the provided files.
- Install Mechanism (note): There is no install script in the bundle; clawhub.json declares a pip dependency on simmer-sdk (PyPI and GitHub links are given in SKILL.md). This is expected for a Simmer-based trader, but a pip dependency is an attack surface in its own right: verify the simmer-sdk package and its maintainers before installing. No arbitrary downloads or extract steps are present in the skill bundle itself.
- Credentials (ok): The skill requires a single high-value credential (SIMMER_API_KEY), which is appropriate for a trading client. Tunables are surfaced via SIMMER_* environment variables and are consistent between clawhub.json and trader.py. SKILL.md explicitly warns that SIMMER_API_KEY is high-value. No unrelated credentials or config paths are requested.
- Persistence & Privilege (ok): autostart is false and always is not set, so the skill is user-invocable and may run autonomously under platform defaults but does not force its own inclusion. The automaton entrypoint points to trader.py (managed=true), which is normal for a runnable skill; there is no always: true and no indication that it modifies other skills or global agent configuration.
